
Description

In MultiSSOv2, the way customisations to the OOB implementation are supported has changed.
This KB gives a basic idea of how existing or new customisations can be incorporated in MultiSSOv2.

Release or Environment

These instructions are valid for MultiSSOv2, which is available from the NY release onwards.

Instructions

Mapping of Script Includes and Installation Exits in MultiSSO (v1) and MultiSSOv2 (v2)

Plugin      Type               Customisation in v1         OOB Implementation in v2    Customisation in v2
----------  -----------------  --------------------------  --------------------------  --------------------------
MultiSSO    Script Include     SAML2_update1               SAML2_internal              SAML2_custom
MultiSSO    Script Include     MultiSSO_SAML2_Update1      MultiSSOv2_SAML2_internal   MultiSSOv2_SAML2_custom
MultiSSO    Installation Exit  MultiSSO                    -                           MultiSSOv2
MultiSSO    Installation Exit  MultiSSOLogout              -                           MultiSSOLogoutv2
Esignature  Script Include     ESignatureUtils             -                           ESignatureUtils
Esignature  Script Include     SAML2_update1_esig          -                           SAML2_custom_esig
Esignature  UI Page            saml2_esignature_login      -                           saml2_esignature_login
Esignature  UI Page            saml2_esignature_logout     -                           saml2_esignature_logout
Esignature  Processor          eSigSaml2AssertionConsumer  -                           eSigSaml2AssertionConsumer

(- = no separate OOB implementation file listed for v2)


  1. Customisation in the Script Include
    1. Customisations in SAML2_update1: apply the solution in SAML2_custom
    2. Customisations in MultiSSO_SAML2_Update1: apply the solution in MultiSSOv2_SAML2_custom
    3. Customisations in SAML2_update1_esig: apply the solution in SAML2_custom_esig

The column "OOB Implementation in v2" gives the file name where the OOB implementation of the methods is available. These scripts are read-only. A customer who wants to change behaviour overrides the corresponding method in the file listed in the column "Customisation in v2".

 

Overview of methods available in SAML2_internal

OOB authentication options for overriding AuthnRequest options:

  1. forceAuthn: sets forceAuthn in the AuthnRequest.
  2. isPassive: marks the AuthnRequest as passive in the script.
  3. assertionConsumerServiceURL: sets the Assertion Consumer Service URL in the script while building a custom AuthnRequest.
  4. assertionConsumerServiceIndex: sets the Assertion Consumer Service index in the script while building a custom AuthnRequest.
  5. providerName: sets the provider name in the script while building a custom AuthnRequest.
  6. skipNavFrame: if a customer wants to render specific URLs/patterns without the navigation frame, they can set the skipNavFrame option. While generating the relay state, nav_to will not be added to the URL and the page will be rendered without the navigation frame.
  7. deepLink: if a customer wants to set a custom deep link/starting page for specific URLs/patterns, they can set this parameter. The end user will always be redirected to that page after a successful login.

 

 

Method available in SAML2_internal

getAuthnOptions : function() {
    var authGenerationOptions = {};
    if (this.isTestSAMLConnection()) {
        authGenerationOptions.forceAuthn = true;
    }
    return authGenerationOptions;
},

 

 

Override it in SAML2_custom like the example below:

gs.include("PrototypeServer");

var SAML2_custom = Class.create();
SAML2_custom.prototype = Object.extend(new SAML2_internal(), {
    initialize: function() {
        SAML2_internal.prototype.initialize.call(this);
    },

    getAuthnOptions : function() {
        var authGenerationOptions = {};
        if (this.isTestSAMLConnection()) {
            authGenerationOptions.forceAuthn = true;
        }
        // Customization: always set forceAuthn, not only for test connections
        authGenerationOptions.forceAuthn = true;
        return authGenerationOptions;
    },

    type: 'SAML2_custom'
});
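The skipNavFrame and deepLink options above are meant to be applied per URL/pattern. The following is an added example, not code from the KB or from ServiceNow, of the decision logic a SAML2_custom getAuthnOptions() override could delegate to; the paths, patterns and the assertSafeDeepLink helper are assumptions constructed for this illustration, and the isTestConnection argument stands in for this.isTestSAMLConnection().

```javascript
// Added example (not from the KB): decision logic that a SAML2_custom getAuthnOptions()
// override could delegate to. Paths and patterns below are constructed samples.

// A deepLink is a post-login redirect target, so it must stay a local path: reject
// absolute URLs and protocol-relative forms such as "//evil.example" or "/\evil".
function assertSafeDeepLink(path) {
  if (typeof path !== 'string' || !/^\/(?![\/\\])/.test(path)) {
    throw new Error('deepLink must be a local path starting with a single "/": ' + path);
  }
  return path;
}

// Rules are checked in order; the first pattern matching the requested path wins.
var TARGET_RULES = [
  // Service Portal pages open without the platform navigation frame.
  { pattern: /^\/sp(\?|\/|$)/, skipNavFrame: true },
  // Anything under /kiosk always lands on the kiosk home page after login.
  { pattern: /^\/kiosk(\/|\?|$)/, deepLink: '/kiosk_home.do' }
];

// targetPath: the URL the user originally requested (what becomes the relay state).
// isTestConnection: what this.isTestSAMLConnection() would return inside the override.
function authnOptionsForTarget(targetPath, isTestConnection) {
  var options = {};
  // Keep the OOB behaviour: a "Test connection" run forces re-authentication at the IdP.
  if (isTestConnection) options.forceAuthn = true;
  for (var i = 0; i < TARGET_RULES.length; i++) {
    var rule = TARGET_RULES[i];
    if (!rule.pattern.test(targetPath)) continue;
    if (rule.skipNavFrame) options.skipNavFrame = true;
    // deepLink values come from this static table, never from the request itself.
    if (rule.deepLink) options.deepLink = assertSafeDeepLink(rule.deepLink);
    break;
  }
  return options;
}
```

Inside the override, the returned object is what getAuthnOptions() would hand back in place of authGenerationOptions.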

 

 

 

OOB method available for customising SAML response validation

Response validation options (true/false) available to support customisations. Each skip_* option, when set to true, disables the corresponding check during SAML response validation:

  1. skip_responseissuer_check
  2. skip_assertionissuer_check
  3. skip_audiencerestriction_check
  4. skip_onetimeuse_check
  5. skip_proxyrestriction_check
  6. skip_inresponseto_check
  7. skip_sessionindex_check
  8. skip_unknown_attribute_check
  9. support_httppost_login_only

getValidationOptions: this method supports customisations in SAML response validation.

 

Method available in SAML2_internal

getValidationOptions : function() {
    var responseValidationOptions = {};
    return responseValidationOptions;
},

 

Override it in SAML2_custom like the example below:

gs.include("PrototypeServer");

var SAML2_custom = Class.create();
SAML2_custom.prototype = Object.extend(new SAML2_internal(), {
    initialize: function() {
        SAML2_internal.prototype.initialize.call(this);
    },

    getValidationOptions : function() {
        var responseValidationOptions = {};
        // Customization: skip the SessionIndex check during response validation
        responseValidationOptions.skip_sessionindex_check = true;
        return responseValidationOptions;
    },

    type: 'SAML2_custom'
});
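Because every skip_* option removes a check from response validation, an override usually wants to scope the relaxation to a single IdP and to record which protections it switches off. The following is an added example, not code from the KB or from ServiceNow, of helper logic a getValidationOptions() override could call; the relaxations map, the entity ID and the high-risk grouping are assumptions constructed for this illustration (the override would pass this.getSSORecord().getValue('idp') as the entity ID).

```javascript
// Added example (not from the KB): helper logic a SAML2_custom getValidationOptions()
// override can call. It scopes relaxed checks to one IdP entity ID and reports which
// skip_* flags weaken the protections against replayed or misdirected assertions.

// The nine option names the KB lists, each mapped to the check its name indicates.
var VALIDATION_FLAGS = {
  skip_responseissuer_check: 'Response <Issuer> must match the configured IdP',
  skip_assertionissuer_check: 'Assertion <Issuer> must match the configured IdP',
  skip_audiencerestriction_check: 'Assertion Audience must be this SP',
  skip_onetimeuse_check: 'OneTimeUse condition (replay control)',
  skip_proxyrestriction_check: 'ProxyRestriction condition',
  skip_inresponseto_check: 'InResponseTo must match an AuthnRequest this SP issued',
  skip_sessionindex_check: 'SessionIndex must match the stored login session',
  skip_unknown_attribute_check: 'Unexpected assertion attributes are rejected',
  support_httppost_login_only: 'Only HTTP-POST binding logins are accepted'
};

// Disabling any of these makes forged, replayed or cross-SP assertions easier to accept.
var HIGH_RISK = ['skip_responseissuer_check', 'skip_assertionissuer_check',
  'skip_audiencerestriction_check', 'skip_onetimeuse_check', 'skip_inresponseto_check'];

// relaxations: assumed per-IdP map (entity ID -> option names) maintained by the customer,
// e.g. in a system property. IdPs without an entry keep the full OOB validation.
function buildValidationOptions(idpEntityId, relaxations) {
  var opts = {};
  var wanted = relaxations[idpEntityId] || [];
  for (var i = 0; i < wanted.length; i++) {
    if (!VALIDATION_FLAGS.hasOwnProperty(wanted[i])) {
      throw new Error('Unknown validation option: ' + wanted[i]);
    }
    opts[wanted[i]] = true;
  }
  return opts;
}

// Names of the enabled high-risk skips, so the override can log them (e.g. via gs.warn).
function auditValidationOptions(opts) {
  var risky = [];
  for (var i = 0; i < HIGH_RISK.length; i++) {
    if (opts[HIGH_RISK[i]] === true) risky.push(HIGH_RISK[i]);
  }
  return risky;
}

// Constructed sample: this IdP relaxes only the SessionIndex check, as in the KB example.
var SAMPLE_RELAXATIONS = { 'https://idp.example.com/metadata': ['skip_sessionindex_check'] };
```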

 

 

Customizing the AuthnRequest

customizeAuthnRequest: if the AuthnRequest customisation cannot be achieved through the options available in the getAuthnOptions method, a customised AuthnRequest can be built using the GlideXML API and the modified request set using this method.

Method available in SAML2_internal

customizeAuthnRequest: function (xmlAuthnRequestElement) {
    return;
},

 

Override it in SAML2_custom like the example below; the method sits inside the SAML2_custom prototype alongside initialize and type, as in the earlier examples. This example adds a Scoping/IDPList element to the generated request DOM:

customizeAuthnRequest: function () {
    // Customization through the request DOM element
    var xmlAuthnRequestElement = this.glidesaml2api.getGeneratedReqElemDOM();
    var parentNameSpace = xmlAuthnRequestElement.getPrefix();
    var scopingElement = GlideXMLUtil.newElement(xmlAuthnRequestElement, parentNameSpace + ":Scoping");
    var idpListElement = GlideXMLUtil.newElement(scopingElement, parentNameSpace + ":IDPList");
    var idpEntryElement = GlideXMLUtil.newElement(idpListElement, parentNameSpace + ":IDPEntry");
    idpEntryElement.setAttribute('Name', 'uia.no');
    idpEntryElement.setAttribute('ProviderID', this.getSSORecord().getValue('idp'));
    this.glidesaml2api.setCustomizedReqElemDOM(xmlAuthnRequestElement); // mandatory if the DOM is customized
},

 

 

Customizing the Logout request

customizeLogoutRequest: customise the logout request in the same way as the example above, using the GlideXML API, and set the modified request using this method.

 

 

 

Additional Information

Apart from the above, the HTTP-POST redirect binding is available out of the box for AuthnRequests in the IdP configuration form, so no customisation needs to be written for it.

Article Information

Last Updated: 2019-10-10 02:09:10
Published:2019-10-10